ICMP firewall rule in VyOS 1.5

Hi there,

Very dumb question, but we could not rule it out by ourselves.

Is it enough to allow ICMP response on the WAN interface with

set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'

or why do I need explicit rules to see ICMP echo?

set firewall ipv4 name svtele_fw_in_213 rule 110 action 'return'
set firewall ipv4 name svtele_fw_in_213 rule 110 description 'Allow ICMP reply'
set firewall ipv4 name svtele_fw_in_213 rule 110 icmp code '0'
set firewall ipv4 name svtele_fw_in_213 rule 110 icmp type '8'
set firewall ipv4 name svtele_fw_in_213 rule 110 protocol 'icmp'
set firewall ipv4 name svtele_fw_in_213 rule 110 state 'established'
set firewall ipv4 name svtele_fw_in_213 rule 110 state 'new'
set firewall ipv4 name svtele_fw_in_213 rule 110 state 'related'
set firewall ipv4 name svtele_fw_in_213 rule 112 action 'return'
set firewall ipv4 name svtele_fw_in_213 rule 112 description 'Accept ICMP Unreachable'
set firewall ipv4 name svtele_fw_in_213 rule 112 icmp type '3'
set firewall ipv4 name svtele_fw_in_213 rule 112 protocol 'icmp'
set firewall ipv4 name svtele_fw_in_213 rule 114 action 'return'
set firewall ipv4 name svtele_fw_in_213 rule 114 description 'Accept ICMP Time-Exceeded'
set firewall ipv4 name svtele_fw_in_213 rule 114 icmp type '11'
set firewall ipv4 name svtele_fw_in_213 rule 114 protocol 'icmp'

The former doesn't work and blocks echo, while the latter gives normal ping responses.

Thanks

As I recall, the global option is whether the kernel should answer pings, while you still need ACL / firewall rules to allow it through the network stack.

Or the other way around…

If you have ACL / firewall rules to allow ICMP echo-request and echo-reply, you still need to have all-ping enabled for the VyOS box itself to reply to incoming pings; if that is disabled it won't reply.

Ok, got it.
Will check somehow.

Thanks.

set firewall global-options all-ping 'enable' is about allowing VyOS to respond to incoming ICMP echo requests on all its interfaces.
However, it looks like your firewall rules are all for other incoming ICMP traffic:
the shown rules are for allowing responses to requests originated from your own side,
like (110) response to outgoing ping requests, (112) "destination unreachable" return packets and (114) response from traceroute from your side.

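Putting the two halves of the answer together, as an added illustration that is not part of this thread or of the VyOS documentation: the global option only lets the VyOS kernel answer echo requests, so a chain bound to the input hook of the WAN interface still has to accept the echo-request packet itself. The interface name eth0, the chain name WAN_LOCAL and the rate limit are assumptions chosen for this example. Rule 10 lets reply traffic and ICMP errors belonging to the router's own outbound connections back in via conntrack; rule 20 is the part the original rule set was missing, an explicit accept of inbound echo-request (ICMP type 8) before the chain's default drop.

```vyos
# Assumed example config, not from the original post.
# 1. Let the kernel answer echo requests at all (weak setting would be 'disable').
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'

# 2. Chain for traffic addressed to the router itself on the WAN side.
#    Anything not matched below is dropped.
set firewall ipv4 name WAN_LOCAL default-action 'drop'

# Replies to our own outbound traffic, including ICMP errors
# (unreachable, time-exceeded) that conntrack marks as 'related'.
set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 10 description 'Allow return traffic'
set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
set firewall ipv4 name WAN_LOCAL rule 10 state 'related'

# Inbound echo-request from the internet. This is the rule all-ping alone
# does not give you; the limit keeps a ping flood from reaching the kernel.
set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 20 description 'Allow inbound ping'
set firewall ipv4 name WAN_LOCAL rule 20 protocol 'icmp'
set firewall ipv4 name WAN_LOCAL rule 20 icmp type-name 'echo-request'
set firewall ipv4 name WAN_LOCAL rule 20 limit rate '10/second'

# 3. Bind the chain to the input hook for packets arriving on eth0 (assumed WAN).
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 jump-target 'WAN_LOCAL'
set firewall ipv4 input filter rule 10 inbound-interface name 'eth0'
```

With all-ping disabled, rule 20 still counts the matching packets but no echo-reply is sent; with all-ping enabled and rule 20 absent, the request is dropped by the chain's default action before the kernel sees it. After commit, pinging the WAN address from outside should increment the counter shown for rule 20 in the output of show firewall ipv4 name WAN_LOCAL.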
